Saturday, December 15, 2007

"Entrapment" Meets "Ocean's Seven"

Before I start this post, let me make one thing clear: I hate terrorists. I think terrorists and criminals that actively plan to reduce the quality of our lives and destroy things precious to other people are the lousiest creatures on the planet.

Now that this is understood, let's discuss the Miami Seven, aka "Ocean's Seven".

That group of supposed would-be terrorists was handed a combination of acquittals and mistrials yesterday by a jury of their peers, after defense lawyers were able to suggest that there exists a reasonable doubt that, absent the government agents, any crime worthy of prosecution would ever have occurred.

Maybe it's the fact that this is taking place just an hour away, but this case has concerned me from the start. This is Ocean's Seven played by seven hapless saps, with a government stooge standing in for Andy Garcia.

As Albert Levin summed up for the defense:

"The entire situation was concocted by the government. The warehouse was paid for by the FBI, and the defendants moved their operations there at the suggestion of an undercover informant who was also paid by the FBI. The [Al-Qaeda] swearing-in ceremony was led by the informant — who at another point also suggested a plan to bomb FBI offices in Miami. The case was written, produced and directed by the FBI."

Now I'm a big fan of the FBI and I'm extremely thankful that these guys exist. But when I take this case and extrapolate it into the world that I work in - Internet crime - what emerges is a really lousy picture.

Imagine for a moment the government decides that Internet crime needs to be "managed" the same way - by embedding agents and encouraging criminal activity.

In this scenario, the government agent rents an office, recruits computer programmers, moves them into cubicles, gives them PCs, connects them to a network, trains them, guides them, and then encourages them to develop a bunch of malware and unleash a sophisticated criminal action against consumers.

At which point they become criminals.

Assuming the FBI guy is the smartest guy in the room (and a natural leader, whom people feel compelled to follow), should the hired programmers be considered "criminals" or "feckless* pawns"?

As much as I hate terrorists, I hate "fake crime" so much more. Albert Levin made the right summation for the defense. Jeffrey Agron, foreman, and the rest of the jury in Miami, made the right call, regardless of the potential any of these individuals may have had for evil.

Inducing criminals to conduct a crime is the wrong way to reduce terror and the absolutely worst way to run a police force.

The FBI can serve us better by reporting on crime and prosecuting criminals, rather than encouraging the progress of would-be criminals.

Contrary to prosecutor Jacqueline Arango's statement, in which she said "The government need not wait until buildings come down or people get shot to prove people are terrorists" - I'm sorry, but you really do need to wait.

Because a lot of the time, when people say they plan to do something, they don't. Not without a strong leader. The FBI should leave the big talkers underfunded and discouraged - that's the best way to fight crime.

*My thanks to Doug Brunt and Megan Kelly for their introduction to the word "feckless" earlier this evening. "Feckless" (i.e. feeble and/or ineffective) describes this group of would-be criminals precisely.

Sunday, December 9, 2007

How To Turn Off Facebook Beacon

Facebook CEO Mark Zuckerberg reacted to angry users this week by issuing a public apology and adding a privacy control web page for Facebook users.


Checking "Don't allow any websites to send stories to my profile" turns off Facebook Beacon and your purchasing choices (i.e. "John Sharp just rented Pride and Prejudice at Blockbuster") will no longer be published to your friends' News Feeds.

This is a welcome step, but it didn't need to be this way. All Facebook needed to do was take a step to the other side of the table and "think user".

It isn't that hard. Take this user posting from "Adam" in the comments section of the recent NY Times article on Beacon.

In less than a hundred words, he provides an articulate and sensible accounting of all the necessary UI components Beacon would require to be acceptable. Here's a sample of some good "think user" thinking:

Had Facebook included a global opt-out option at the beginning, the outcry would have likely been muted. Coupled with an opt-in-by-item with a STRAIGHTFORWARD yes/no, Facebook users would have been happy, privacy advocates would have been happy, and so on.

I mean, something like this:
“Would you like to let your Facebook friends know that you just bought [x] from [y]?
_ YES, SHARE. List this in my friends’ newsfeeds.
_ NO, DON’T SHARE. Keep this private.

NOTE: You can click on PRIVACY in Facebook to set a default for this feature.”

Adam, maybe they should give you Chris Kelly's job.

Facebook isn't out of the woods yet. There is still the question of what happens to user data provided by the user.

In Zuckerberg's recent blog/apology, there was no mention of any changes to their method of dealing with user data, and no clarification as to whether or not the personal data provided by the user is deleted immediately, rather than "stored, then deleted".

In a recent statement released by Facebook to Stefan Berteau, senior spyware research engineer with (Authentium partner) CA, Facebook says user data is always sent to Facebook ("in order for Facebook to operate technologically"), but that data will be deleted from its servers, once they receive the news that the user has opted out.

"When a Facebook user takes a Beacon-enabled action on a participating site, information is sent to Facebook in order for Facebook to operate Beacon technologically. If a Facebook user clicks "No, thanks" on the partner site notification, Facebook does not use the data and deletes it from its servers. Separately, before Facebook can determine whether the user is logged in, some data may be transferred from the participating site to Facebook. In those cases, Facebook does not associate the information with any individual user account, and deletes the data as well."

I look forward to seeing Berteau's follow-up Wireshark capture logs and analysis. It would be nice to find out that Facebook has kept its word on the changes.

Note: Facebook users, here's that link again.

Saturday, December 8, 2007

Man Loses $20,000, eBay Says "Not Our Problem"

Shaqir Duraj appears to have become the latest person to lose money to an eBay fraud.

CBC News reports that Duraj, a Calgary bakery owner, lost $20,000 last Thursday, after purchasing a car at a site that he thought was eBay Motors. The sale later turned out to be a hoax.

This sounds like a replay of that incident - in which a US-based eBay customer lost over eight thousand dollars when she purchased a fictional Jeep Cherokee via a fake "eBay Motors" site that was downloaded onto her computer by the BayRob Trojan.

eBay has obviously decided what its strategy is going to be re customers who get taken by elaborate electronic scams that use the eBay brand - blame it on the Internet.

In fact, after hearing about the $20,000 theft, Erin Sufrin, Public Relations Manager at eBay's Canadian subsidiary, told Canada's CBC News, "That's an internet problem, not an eBay problem."

She went on to offer the following advice:

"Spoofing and phishing is something that we're all a victim of and that we try very hard to combat — trying again to get that education out. Never click on — if you think it's a fake eBay, or a fake PayPal or a fake anything site, report it."

Ms. Sufrin added, "eBay is working with the RCMP to get help for customers scammed out of large amounts of money."

According to the CBC News web site, this contradicted a Royal Canadian Mounted Police fraud investigator who told CBC News no one from eBay had returned his calls.

Am I the only one who thinks eBay customers deserve better?

Note: eBay *only* covers frauds up to $20,000 that take place on the eBay Motors site. Frauds that take place outside of the eBay environment (regardless of whether or not you thought you were inside the "real" eBay environment at the time) are *not* covered by the terms and conditions listed on the eBay Motors site, specifically:

"The eBay Motors Vehicle Purchase Protection (VPP) program provides protection of up to $20,000 against certain losses associated with some types of fraud. You are automatically enrolled in the program at no charge when you complete the purchase of an eligible vehicle on the eBay Motors site (motors.ebay.com)."

Update 1: On Thursday, PR Manager Erin Sufrin added some new details, saying that the scam involved a BMW and a hijacked high-rated seller account (not a downloaded BayRob version of eBay Motors). She added that a "warning" was sent to Duraj.

Further Q's for Ms. Sufrin: Was the warning sent by eBay-branded email? If so, should Duraj (the buyer) have assumed the email to be a hoax email? Or should he have assumed it to be real? Also, isn't it reasonable to assume that payment instructions from a seller with a 98% (high) reputation should be trusted?

"Cyber Attackers" are Looking for PII, Not Nukes

The headlines keep coming about the news that several high-profile military labs - including some of the world's leading nuclear research labs - have been compromised by phishing scams. Unfortunately, many of these headlines are missing the point.


Example: In one story published today, PC World claims that Chinese Hackers "launched" a coordinated "major attack" on two US Military Laboratories.

This is almost certainly *not* what happened. According to most of the published data, this was a phishing attack, plain and simple.

Case in point: The "FTC" phishing scam, cited by ORNL reps. As I blogged yesterday, this scam has been around for months, and is extremely widespread. In fact, Authentium's malware lab analysts first reported this scam in March.

The scam typically targets the capture of PII (Personally Identifiable Information) - such as the data that appears to have been stolen from the Oak Ridge Labs visitor database.

Need more evidence for the theory these are phishing scams, rather than coordinated, military-style attacks?

According to a link on the PC World web page hosting this article, those very same "Chinese hackers" are also hard at work "attacking" major oil companies and manufacturers of jet engines (check out the above link in the posted image under "Related Content", entitled "Chinese Hackers Accused of Attacking Shell, Rolls-Royce").

Does anyone really think there is a coordinated attack going on right now against the US Military, Rolls-Royce, Shell Oil - and consumers?

Folks, the real story is, in some ways, far more scary than the one being reported by PC World.

It would appear, unfortunately, that we now have evidence that really smart people fall for phishing scams too - and sometimes those smart people happen to have a large database on their network filled with the personal information of other really smart people.

And sometimes, databases filled with nuclear secrets.

Update: To Steve B's point, these DBs *are* air-gapped, but physical separation is only successful if policies are adhered to - see comments below.

Let me repeat what I said yesterday: the technology exists to stop these kinds of attacks. And some of that technology can be used in really simple ways.

Firewalls and email servers, when configured correctly and used in conjunction with robust filtering technologies and/or services located either in the DMZ or inside a secure MSSP data center, can provide a useful first-level defense.

Note: One additional approach used by some IT administrators at ISPs and businesses is the wholesale blocking of IP addresses, or super-blocks, based on the country or region originating the email.

You need to be careful when taking this approach - for example, Australia and China share the same registry (APNIC). But as an additional defense mechanism, it probably should be on this list for consideration.
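As an added example (not code from the original post), here is a small Python mail-gateway check that applies the country-of-origin blocking described above to a message's Received chain, and shows the over-blocking the APNIC caveat warns about: blocking by registry rejects Australian mail along with Chinese mail. The allocation table, relay list and sample messages are constructed from RFC 5737 documentation ranges, not real registry data.

```python
"""Country-of-origin mail filtering as a gateway policy check.

Constructed illustration: the allocation table uses RFC 5737 documentation
prefixes mapped to arbitrary registry/country labels. A real deployment would
load per-country allocation data from the RIRs' delegated files rather than
treating a whole registry (APNIC covers Australia and China alike) as one
block."""

import ipaddress
import re
from email import message_from_string

# Constructed allocation table: (network, registry, country).
ALLOCATIONS = [
    (ipaddress.ip_network("198.51.100.0/24"), "APNIC", "CN"),
    (ipaddress.ip_network("203.0.113.0/24"), "APNIC", "AU"),
    (ipaddress.ip_network("192.0.2.0/24"), "ARIN", "US"),
]

# Relays we operate (constructed). Received headers written by these hosts
# are trusted; hops through them are skipped when finding the sender's IP.
TRUSTED_RELAYS = {ipaddress.ip_address("192.0.2.10")}

_RECEIVED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def originating_ip(raw_message: str):
    """Return the first external IP in the Received chain, or None.

    Each hop prepends its own Received header, so the list runs newest to
    oldest. The first address that is not one of our relays was recorded by
    our own relay and is the only origin claim we can trust; deeper headers
    could have been forged by the sender."""
    msg = message_from_string(raw_message)
    for header in msg.get_all("Received", []):
        match = _RECEIVED_IP.search(header)
        if not match:
            continue
        addr = ipaddress.ip_address(match.group(1))
        if addr in TRUSTED_RELAYS:
            continue
        return addr
    return None


def lookup(addr):
    """Return (registry, country) for addr, or (None, None) if unallocated."""
    for net, registry, country in ALLOCATIONS:
        if addr in net:
            return registry, country
    return None, None


def policy_decision(raw_message, blocked_countries, blocked_registries=()):
    """Return an accept/reject verdict string for the message.

    blocked_countries is the per-country policy; blocked_registries exists
    only to demonstrate the coarser, over-blocking registry-based approach."""
    addr = originating_ip(raw_message)
    if addr is None:
        return "accept: no external hop found"
    registry, country = lookup(addr)
    if registry in blocked_registries:
        return f"reject: {addr} allocated by {registry}"
    if country in blocked_countries:
        return f"reject: {addr} allocated to {country}"
    return f"accept: {addr} ({registry or 'unknown'}/{country or 'unknown'})"


# Constructed sample messages: the same conference announcement relayed via
# our trusted relay, once from the "AU" range and once from the "CN" range.
MAIL_FROM_AU = (
    "Received: from mx.example.org [192.0.2.10] by mail.lab.example\n"
    "Received: from host.example.au [203.0.113.7] by mx.example.org\n"
    "From: colleague@example.au\n"
    "Subject: Conference announcement\n"
    "\n"
    "Hello\n"
)
MAIL_FROM_CN = MAIL_FROM_AU.replace("203.0.113.7", "198.51.100.7")

if __name__ == "__main__":
    # Per-country policy: AU mail accepted, CN mail rejected.
    print(policy_decision(MAIL_FROM_AU, blocked_countries={"CN"}))
    print(policy_decision(MAIL_FROM_CN, blocked_countries={"CN"}))
    # Registry-wide block: the AU message is rejected too.
    print(policy_decision(MAIL_FROM_AU, blocked_countries=set(),
                          blocked_registries={"APNIC"}))
```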

Which of course leads to the obvious (political) question: Do folks that work at sensitive places like Los Alamos or the Oak Ridge National Laboratory *really* need to be able to receive email from China?

Friday, December 7, 2007

Phishing Attacks Fool 1% of Nuclear Scientists

The Secretary of the Department of Homeland Security, Michael Chertoff, announced today that IT systems at the Oak Ridge National Laboratory have been compromised by phishing.


Secretary Chertoff confirmed the attacks Friday and added:

"Thieves made approximately 1,100 attempts to steal data with a very sophisticated strategy that involved sending staff a total of seven 'phishing' e-mails, all of which at first glance appeared legitimate."

A DHS spokesperson further confirmed:

"...the hackers potentially succeeded in gaining access to one of the laboratory's non-classified databases that contained personal information of visitors to the laboratory between 1990 and 2004.... the personal information at risk includes names, dates of birth and Social Security numbers of the visitors..."

According to ABC News, one of the fake phishing e-mails appeared to be an announcement for a scientific conference; the other claimed it was a notice of a complaint on behalf of the Federal Trade Commission.

The internal investigation of ORNL, which is ongoing, has so far found that approximately 11 employees out of 1100 targeted "took the bait" and opened the e-mail attachments, "which enabled the hackers to infiltrate the system and remove data."

In other words, phishers scored a hit rate of 1% against employees at one of the world's leading nuclear research facilities.

Let's discuss. First of all, if the target is a consumer, any form of well-crafted phishing attack, such as the recent FTC letter scam, can be called "sophisticated." Consumers are typically not well protected and do not have large IT budgets and enterprise-class filtering systems at their disposal.

However, if you're a four-thousand person enterprise like ORNL, this attack is inexcusable.

Secure Computing, Postini (Google), Microsoft, WebSense, MessageLabs - there are literally hundreds of ISVs and service providers out there, many of whom partner with Authentium, that are highly capable of providing extremely robust, and affordable, email filtering services that can and will prevent these emails getting to in-boxes inside sensitive government facilities.

And then there are emerging technologies such as Raytheon SureView that enable recording, rapid response, and treatment of behavior contrary to an enterprise's security policy, such as clicking on attachments in emails.

Authentium to ORNL: these phishing attacks were "consumer-grade" attacks. Technology exists to stop them. There is no excuse for allowing these attacks to occur within the walls of one of the world's leading scientific facilities.

Note: If you have visited ORNL within the last five years, you should probably give them a call and find out if your data was housed in the database that was compromised. You can do this by contacting ORNL Visitor Services at 865.574.7199.

Wednesday, December 5, 2007

EV Certs Don't Stop Phishing

Earlier this year, Netcraft published a survey that showed there were more than 600,000 "secure sites" capable of hosting an SSL session on the web.


To quote Netcraft, "The first survey, in November 1996, found just 3,283 sites; since then, the number of SSL sites has had an average compound growth of 65% per annum."

As an indicator of commercial activity, I think this is a useful survey. If you accept the premise that mergers and acquisitions lead to fewer new certificates being issued, then the growth in e-commerce may actually be in excess of 65% annually.

Which brings me to the biggest potential failure on the SSL roadmap to date: EV Certs.

The recent launch of EV (Extended Validation) merchant certificates by Microsoft, Verisign and others has not exactly set the world on fire. By May this year - the last time data on EVs was published by Netcraft - the total number of EV certs being utilized by Internet merchants was just 700, or 0.1% of the total.

There's a good reason for this: EV certificates don't work.

They don't stop phishing, they don't communicate well to users, they do away with the SSL padlock, and the whole thing is so easily spoofed, it may as well not be there.

You don't have to take my word for it - there is a scientific study available conducted by Stanford University and Microsoft Research that backs this up.

The findings of the analysis were unequivocal: users paid zero attention to the green background applied to the address bar by the EV cert:

"We presented a controlled between-subjects evaluation of the extended validation user interface in Internet Explorer 7. Unfortunately, participants who received no training in browser security features did not notice the extended validation indicator and did not outperform the control group."

The results improved slightly after a reading of the IE Help File, but then the group uncovered a second problem - the EV-powered address bar can be spoofed very easily, essentially rendering any investment in education, or pushing people to read the manual, completely valueless:

"Like its predecessor, the lock icon, extended validation is vulnerable to picture-in-picture user interface spoofing attacks. We found these attacks to be as effective as homograph attacks, the best known phishing attack."

They are absolutely right on this count. As our Chief Scientist, Helmuth Freericks, has previously warned, creating a spoofed version of this attack is rather trivial.

So how can consumers get their hands on real security? Obviously, there is a real need for innovation. At Authentium, we have spent three years designing a secure Internet browsing environment that does away with the need for UI gimmicks. In other words, we've followed the advice of Stanford and Microsoft researchers:

"Designing a user interface that resists both homograph and picture-in-picture attacks should be a high priority for designers of future browsers."

That's what our guys have done. To take a look, click here, or take a look at Corey's video about VERO and VirtualATM in the right-hand column.

Tuesday, December 4, 2007

IC3 Internet Crime Complaint Form Rates An A+

Earlier in the year I published a post about the Federal Trade Commission's Identity Theft Complaint Form.


At the time, I believed the FTC asked for way too much information, and risked becoming a serious secondary contributor to identity theft.

Unfortunately, nothing much has changed - as you can see from the above image, the FTC form still exposes way too much user information to any key-loggers and screen-scrapers running on your PC.

This is why I was very glad to find that the FBI have taken a different, and in my view far more sensible approach to logging reports regarding Internet crime.

There are two things I particularly like about the FBI site. The first is that it places emphasis on engaging with local law enforcement offices about the crime, including establishing a process for isolating who you need to talk to, and how you should contact them.

The second thing I like about this form is that it doesn't collect too much personal information to be a threat in and of itself. Only the reporter's name and address is captured. The rest of the data collection schema is clearly focused on collecting information designed to help resolve the crime, rather than information that could potentially further compromise the victim.

Authentium says: the FBI and their Internet Crime group deserve an "A+" for this service, and the design of the IC3 form. If you find yourself the victim of an Internet crime, and don't know what your next steps should be, this is potentially a very good first step.

Sunday, December 2, 2007

Coming Soon to Second Life: FBI Field Office

Second Life, the popular "virtual world" created and operated by Linden Labs, is certainly proving to be on the cutting edge of real/virtual legal issues.


First, back in May, German police launched an investigation into alleged inworld child pornography (this investigation ultimately seems to have subsided in the wake of the recently-announced deal between Linden Labs and Washington DC-based age-verification company, Aristotle).

Then ten days ago, virtual thieves stole at least US$11,500 in *real money* from avatar-customers of virtual banks located inside Second Life.

According to Nobody Fugazi, an avatar/commentator who runs a Second Life fan site called your2ndplace.com, the hacked Second Life banks included L&L Bank and Trust, SL Investor's Bank, Giovinazzo Choice Investments, Whitfield Holdings/Royal Invest and SL Business Bank.

L&L Bank and Trust has admitted they lost $11,000. Nobody Fugazi was quoted on Massively.com as saying he believed SL Investor's Bank did not suffer any losses.

When the news broke, users, who spend about US$1.5mm in real money every day in Second Life, were understandably upset (one blogged that "the sky ripped apart" when he found out the theft had happened). Second Life citizen "Gr1zz" left this response, not untypical, at Massively.com:

"I have alwase felt virtural property IS PERSIONAL PROPERTY! Wether you work long and hard for in game credits, or purchase them with real dollars, its damaging when you loose it. "

Spelling mistakes aside, this comment raises some interesting questions about Second Life, the nature of its assets, how its citizens feel about those assets, the duty Second Life has to protect their value, and the whole idea that an entire economy and banking environment based on the US$ should be allowed to exist, regulation-free.

$11,000, the "real" amount publicly acknowledged as lost by L&L Bank and Trust, would probably not normally be a large-enough amount for the FBI to get involved, but if they don't get involved, what is going to happen when things get serious?

Authentium says: the FBI should consider treating these virtual heists as real crimes, so we're ready and prepared when the first large-scale virtual heist happens inworld, which may be for a considerable amount more Linden dollars than the heists two weeks ago.

Note: Anyone wishing to peer inside the mind of a Second Life bank should venture here for an informative read, courtesy of the SL Investor's Bank blog.

Note: The chart above is courtesy of the Reuters inworld Second Life news office. To see the live updating Linden dollars vs. USD conversion and daily spending widgets, click here.

Saturday, December 1, 2007

FaceBook's CPO Should Step Down

Facebook announced this morning that they are in the process of modifying Beacon, their advertising service, so your shopping decisions will no longer be broadcast to your friends on Facebook, and your privacy re-respected.


This is a step in the right direction - and a big win for MoveOn.org and Internet activism. But Facebook's Chief Privacy Officer, Chris Kelly, should never have allowed Beacon to become a "consumer purchase broadcasting system" in the first place.

Try this simple test. Imagine you're at your local supermarket. You've finished shopping and you're placing stuff on the conveyor belt at the checkout counter, when suddenly the checkout clerk grabs a microphone and starts reading out the labels on your choices, item by item, broadcasting this information to every other person in the store.

Here's what your neighbors get to hear: Your food choices - including the items you just purchased for your special needs diabetic child. Your personal hygiene buying decisions. Your choice of magazines. Your alcohol and tobacco purchases. The flowers you just bought - hey, where is your wife? Are they really for her?

For a company that produces some pretty cool software, Beacon is about as uncool as it gets. Though there exist some obvious legal limits as to what can be broadcast - pharmaceutical or birth control purchases, medical treatments, insurance - there are still plenty of purchasing decisions that many of us would prefer remain private.

Example - the Facebook-Fandango link. I doubt that many people really want *all* of their friends knowing *all* of their content choices...

Everyone understands that Facebook needs to make money in order to keep operating. No reasonable person would deny that advertising is the right business model. But Beacon was really a step too far.

Everyone knows - and most people accept - that when you search on one of the major search engines, your actions will be tracked and recorded and added to a profile. Most people also understand that this purchasing data, like the data generated every time you shop at the supermarket, is an increasingly necessary part of business.

Without it, businesses cannot run as efficiently, or meet the needs of their customers as effectively, which ultimately means less productivity and higher pricing. That said, there is no precedent I can think of for the broadcasting of consumer purchasing choices to other consumers, either in the real world, or on the Internet.

This is the second high-profile, privacy-related incident faced by Facebook in less than a year. Authentium says: Facebook's CPO, Chris Kelly, needs to stop thinking about the bottom line and focus 100% on keeping personal information private - or he should step down and allow someone else to come in with a stronger consumer privacy focus.

In the event that you think I'm being a little harsh, Mr. Kelly had a chance to jump on the side of the consumer two days ago at the Commonwealth Club, but he presented himself as a Facebook executive first, and a consumer privacy advocate second.

Image from moveon.org.

Friday, November 30, 2007

HijackThis is Goodware

I occasionally get worried calls from friends saying they have seen our brand turn up on the Internet listed in a long list of programs under the heading "Hijack This".

This certainly does happen. A quick search on Google for "Authentium" will come up with several examples of logs created by folks who have downloaded and used the software, and discovered our software among other programs in their Startup menu.

Authentium says: stop worrying. "HijackThis" is a "goodware" utility program with an unnecessarily-scary name that is owned and maintained by Trend Micro. It enables consumers to quickly create log files containing details on all programs listed in their StartupList, and root out spyware and other potential nasties.

It's really something that only sophisticated users should use. As Trend Micro itself says, "HijackThis does not determine what is good or bad. Do not make any changes to your computer settings unless you are an expert computer user."

That said, it's a useful tool. Here's a short description from download.com:

If persistent spyware is bogging down your computer, you might need HijackThis. The tiny program examines vulnerable or suspect parts of your system, such as browser helper objects and certain types of Registry keys.

Pressing the Scan button generates a log of dozens of items, most of which are just customizations. Don't check off an item and hit the Fix checked button unless you're sure it's malware.

Clicking Info on selected item tells you why the entry was flagged as suspicious, but not whether it's actually malware. To find that out, search the Web for that item's name or go straight to a forum, such as SpywareInfo or Computer Cops. Saving the log creates a text document you can post to these forums.

The latest version adds powerful tools to the Config window. The process manager and hosts file editor help you excise virulent infections. The unique ADS Spy tool scans for alternate data streams, which some browser hijackers use to hide from spyware removers.

The program still installs into whatever directory in which you unzip the file, which can make it hard to locate. HijackThis is a serious tool for any user who needs to root out a serious infestation, but wield it with caution.

NZ Cops Praise "Bright and Gifted" Hacker

New Zealand police announced today they have, with the help of Dutch investigators and the FBI, apprehended an 18 year old resident of Hamilton, NZ.

The 18 year old is accused of creating - and selling to criminal gangs - an encrypted piece of malware that enabled professional criminals around the world to evade certain antispyware apps and cause more than $20 million in economic losses.

Martin Kleintjes, the head of the New Zealand Police Computer Crime Unit, knew exactly how to deal with this kind of criminal, and very quickly put him in his place:

"He is very bright and very skilled in what he's doing. He hires his services out to others. [He is] one of the world leaders in terms of developing this sort of software - it's absolutely first-class."

At the conclusion of this damning statement, sure to drive fear into the hearts of aspiring NZ hackers everywhere, Mr Kleintjes metaphorically patted the youth on the head, and sent him home to await a call back.

Test Question. You've just nabbed a bank robber that you're pretty sure has stolen $20m from a bank in downtown Auckland. Do you let him go home?

Despite the size of the crimes perpetrated, and the fact that the youth appears to have actively sought out criminal partnerships, the youth, known as "AKILL" online, is not facing an immediate stint in jail.

He has indeed been sent home by Mr. Kleintjes, pending further investigation. In addition, his identity has been protected, just in case some of the crimes he allegedly conducted happened prior to him turning 18.

Note: his crime was enabling identity fraud. Anyone see a contradiction here?

Authentium to New Zealand Police Computer Crime Unit: murderers can oftentimes appear intelligent and charming. That doesn't mean they should be mollycoddled. Cybercrime of this magnitude needs to be taken seriously and the perpetrators treated no differently than any other form of grand larceny, including bank robbery.

Consumers are sick to death of this kind of crime, and praise just leads to replication of effort. We need to start throwing the book at these guys.

Further note re this hack: Most sophisticated forms of antispyware or antimalware technology can detect encrypted malware of this type. Users should update to the latest available definition files regularly.

Tuesday, November 27, 2007

40% of Consumers Lose Trust in "Phished" Brands

YouGov and CloudMark have published a survey that brand managers might find worthwhile reading - not that they are likely to learn anything new. To the surprise of no one, brands, once phished, are no longer trusted by 40% of consumers.

From VUNet: "Banks' reputations were the hardest hit when it comes to phishing. Over 40 per cent of respondents said that a phishing email about their bank would put them off. A similar percentage felt the same about their ISP, 36 per cent about an online shopping site and 33 per cent about a social networking site."

That wasn't the most surprising statistic to me - according to the survey, only 26% saw it as a user-level problem, while fully 40% of those surveyed felt their ISP should be primarily responsible for stopping phishing attacks. From The Register:

One in four (26 per cent) of 1,960 adults surveyed reckon the main responsibility for protecting against phishing attacks lies with themselves, with a similar percentage (23 per cent) responding that their ISP ought to bear the brunt of filtering spam emails. A further (17 per cent) think the sender's ISP and email service provider holds the greatest responsibility in combating scam emails.

Also troubling is the news that VOIP-based caller ID spoofing (aka "vishing") appears to be well on its way into the mainstream of attacks in the UK as well. Here's Neil Cook, Cloudmark's UK technology chief, quoted in the same article:

"If the recipient makes the call, it gets routed to a cheap VoIP answering system, which may have been set-up on a compromised host. The system captures the user ID and pincode to sell on to the highest bidder, who then has full access to your account. All the while the call seems very genuine. The reassurance of speaking to an individual rather than working online will lead to many instances of consumers falling foul to such threats."

If you've never set up a call center, this probably sounds like science fiction, but unfortunately, this kind of "vishing" is extremely easy to set up, very cheap, incredibly portable, and because it sounds so real and involves live call-center-like humans, rather convincing.

Full article here.

Saturday, November 24, 2007

"Koffi Anan" Email Scam

This morning I was forwarded an email from none other than "Koffi Anan", the former Secretary General of the United Nations.

Sadly, since leaving the UN, "Mr. Anan" has apparently forgotten how to correctly spell his own name. I guess it must have been the stress of the job.

That said, "Koffi" was considerate in wishing to apologize for all the email scams that have taken place under the masthead of the UN. He suggested that I contact a certain Mr. Jim Ovia at Zenith Bank Nigeria Plc, who has been instructed to forward me $150,000, no questions asked.

Folks, this ranks as probably the dumbest scam email I've ever seen. It is so outrageous that I'm left wondering if The Onion isn't somehow behind it.

If not, I take back everything I have said recently about criminals getting more sophisticated and intelligent, as a whole. Clearly, some criminals are evolving at a considerably slower pace than others.

Everyone, Authentium says: beware of any email that promises you money, or contains advice from a celebrity, or suggests you immediately contact a bank or lawyer you've never heard of because money is waiting.

Every single one of these emails is a scam, and if you respond, you're going to get duped.

Friday, November 23, 2007

BayRob Downloads Fake eBay to Desktops

The BayRob Trojan currently tormenting eBay Motors demonstrates some of the increasingly sophisticated tactics that online criminals are using to defraud eBay's customers.

Like most malware these days, BayRob appears to be primarily distributed in the form of a phishing email carrying eBay Motors branding. The Trojan is attached in the form of an image, which presents itself to the user as the image of a vehicle.

When the user clicks on the image, BayRob installs a web server, does a location search on the user's IP address, then launches the user's web browser and starts serving up fake pages designed to appear as if they are coming from eBay or CarFax or similar services.

According to Symantec, quoted by the Register, the web server is in constant communication with a "fleet of control servers" designed to mimic the auction site and constantly update the pages.

Consider for a moment what is happening here, from the end user's perspective. The end user's aim is to get a great car for a great price, from a trusted brand (eBay). The criminal's aim is to take money from the consumer without providing goods.

The criminal accomplishes this by using the trusted brand in combination with a reverse IP address lookup to place the cars in the fake ads just a little bit too far away from the user's home address. In this carefully-calibrated scam, the criminal has everything they need to control the user's action - control of price, control of the desktop, control of the transaction mechanism.

The sad part of this (or happy part, depending on how you look at it) is that there are solutions out there that can mitigate this eBay scam and remove the problem entirely.

Our technology, Authentium VERO, completely prevents these scams from occurring, by ensuring eBay pages are identified as coming from actual eBay web servers (not faked local web servers), and disallowing all other (fake) pages access to the user's web browsing environment.

For an example of how bad this might get, check out this story about how one potential buyer of a Jeep Cherokee lost $8,600 - and was unable to be compensated for her loss, because, according to eBay customer service, "the fraud happened outside of eBay."

Note: Symantec reports that one victim was recently almost scammed out of $10,000 but managed to track the money to its final destination - a Western Union outlet in Greece - and halt the payment.

Thursday, November 22, 2007

The Dardenne Prairie MySpace Suicide: Act 2

In his best-selling non-fiction work In Cold Blood, Truman Capote travels to the small town of Holcomb, Kansas and pulls together the tiny threads of a quadruple murder into a vast tapestry that entangles an entire society.

In the end, it's the detail, not the larger story, that reels you in. The larger story of the Clutter family murder fades into the background.

Right now, I'm betting there's a lone reporter sitting in Dardenne Prairie, Missouri, 75 miles northwest of St Louis, with similar ambitions, determined to pull together the story of the suicide of a teenage girl and the details of her tragic death following a fight, on MySpace, with her cyber-boyfriend.

The story started innocently enough a little over a year ago: 13-year-old Megan Meier meets 16-year-old Josh Evans on MySpace.

According to several published news reports, including a story published today in the LA Times, the chance meeting happened at a good time for Megan - she'd apparently become estranged from her previous BFF (Best Friend Forever), a girl who lived four doors down from Megan on Waterford Crystal Drive - and was struggling to overcome depression associated with the loss of her friend and bullying at school.

Lonely and depressed, Megan found a confidant in the "hot" young Josh Evans, and for several weeks, she poured out her heart to her new friend via the Internet.

Then one night, something changed in Josh. According to FBI transcripts quoted in the LA Times, Josh sent Megan a nasty message, saying that he'd heard that she was a "terrible friend". The final message, not published, was, according to her father, along the lines of "Everybody in O'Fallon knows how you are. You are a bad person and everybody hates you. Have a shitty rest of your life. The world would be a better place without you."

Minutes later, Megan left her computer, took Josh's advice, and hanged herself in her closet.

Upon hearing the news of 13-year-old Megan's death the next day, the Drews and other neighbors in this town of 7,500 people rallied around and provided comfort to the Meiers. The Drews cried at the wake, and sent over cookies, and collectively, they tried to forget the terrible event of Megan's death.

And for weeks, this story ended right there - anonymous guy meets anonymous girl on MySpace and breaks her heart.

Then apparently one day, several weeks later, one of the Meiers' neighbors came over to their house and told the Meiers a different version of events - one that they couldn't have imagined. The neighbor told them that Josh Evans was not a real person: he was a fictional character created specifically for the purpose of targeting the emotionally unstable Megan.

He further informed them that this was no teenager-on-teenager fight: the character "Josh Evans" had been created by an adult - Lori Drew, the mother of Megan's former friend, and the Meiers' friend and neighbor. The baker of the cookies. The person who cried at the funeral.

Megan's mother reacted to this news as you might imagine anyone hearing of something so impossible would - by screaming her lungs out, putting an axe through a foosball table that the Drews had asked her to store for them, and depositing the pieces on the Drews' driveway.

The townspeople reacted as well - no one could believe it when they heard that Lori Drew had admitted that she had in fact invented the character, and created the messages - and monitored Megan's replies - with the help of her daughter and another friend.

Local blogs started up within hours, targeting the Drews' workplaces. The Drews found themselves shunned in the street. Death threats arrived.

But then, like any orderly citizens of a 21st century town, the good people of Dardenne Prairie calmed down, knowing better than to take justice into their own hands. They stepped back and waited for state, local, and federal law enforcement to step in, and make things right.

They waited. And waited.

But there was a problem. When law enforcement tried to step in, they discovered there was nothing they could do. There were no paths to justice for the Meiers. Cyberbullying, as this act is being called, is not defined under any law in any town, county or state jurisdiction applicable to the Meiers, or to Megan Meier's death.

Currently, Lori Drew has not been charged with any crime. She is still turning up for work and will likely continue to do so. Sure, some cars still speed past the Drew house in the middle of the night, filled with people shouting "murderer!", and there has been some property damage to their house, but for the most part, the Drews are untouched, and unaffected.

Meanwhile, the Meiers family has been decimated by the tragedy. Ron and Tina Meier have split up and are now living apart, considering a divorce. Lawyers are attempting to move things forward. No one sleeps in the house on Waterford Crystal Drive anymore.

-----

Earlier this year, Alex Eckelberry and others, including myself and Robert Sandilands at Authentium, posted a number of blogs about the injustice faced when cybercrime charges were brought against a school teacher in Norwich, Connecticut around an incident that was obviously caused by malicious JavaScript.

The Meier case is different. In this instance, we have a clear example of potentially the first case in which a false online identity is used by an adult to induce suffering in a real child, resulting in her death. That the incident involved a bullying fictional identity and not a bullying real person is apparently not covered by any applicable law. Not yet.

Here's my "small change." I'd like to suggest that the mayor, the state law enforcement officials, and the county law enforcement officials start lighting a new fire under this case by boning up on how MySpace works - because I suspect that if they can prove that the communications sent by "Josh Evans" to Megan Meier went through the MySpace servers in Los Angeles, or some other out-of-state data center, then I think they have a case they can hand to the FBI.

Parry Aftab has suggested the federal Telecommunications Harassment Law may apply. I have no doubt that the FBI's federal cybercrime division will find an applicable statute they can use to enforce justice. And I have no doubt that there is a tremendously interesting story still to be played out in Dardenne Prairie. We're just at the start of Act Two.

7.25 Million UK Families + MailMerge = Problem

As you already know, this week, the UK Government lost two disks in the mail that contained the personal information of 7,250,000 families, or 25,000,000 individuals, including, in many cases, their banking information.

Ho-hum, I hear you say. This "lost data" stuff happens all the time. It won't affect me.

I understand this reaction. Subconsciously, most of us realize by now that, statistically, our personal data, including that of our family members, has probably been stolen or misplaced multiple times. And because we can correlate that with the additional fact that there is still money left in our bank accounts, we think, "why worry?"

Here's why we should worry: Things are about to get really rough in the identity theft market. The reason? Online criminals are starting to discover the power of database mining and targeted marketing. Consider the "Better Business Bureau" phishing scam of earlier this year.

During this scam, I received a phishing email that I'm ashamed to say almost fooled me - a security professional. Why? Several reasons. First of all, the email was very well-formed, and it was not flagged as coming from an IP address associated with any previous phishing activity.

But most importantly, this scam email addressed me personally - by my correct name, my correct title, the name of my company, and our address - plus, it contained a plausible premise that any business owner can relate to - a complaint from a customer who has not yet received the goods that he ordered.

In other words, it was targeted - and, unlike the amateurish and non-targeted "Dear Sir" emails from the wives of defense ministers of deposed dictators offering 25 million dollars in return for an email address, it had a good shot at fooling a reasonable percentage of the 29 million small business employees in the United States.

Most industry analysts believe the data was "scraped" from LinkedIn, ZoomInfo, Plaxo, or some other business-oriented social networking site. It doesn't matter. Social networking is just a fancy name for what you do using a "database interface". "Social Network Engineering" is where these crooks are headed.

Since the BBB scam, we've seen a few copy-cat attempts at replicating its success in our labs, but none yet aimed at a specific user population or brand. This is what scares me about the situation regarding the data theft in the UK - and phishing in general.

Assuming these disks have indeed fallen into the wrong hands, it is probable that right now, schemes are being crafted by data-smart criminals that will utilize the personal data of these families to fool them into thinking that a counterfeit piece of communication from a criminal is actually coming from a trusted government body.

So how does the UK government now tell these people not to worry? Not by email - email is dying as a communications medium. By phone? Not the best idea - see my earlier posts on VOIP-based caller-ID spoofing. By snail mail? Heard of MailMerge?

So have the criminals.

If I'm wrong, then we can all pour a cup of tea and go back to being complacent. But if I'm right, and the criminals decide to get rich quick, rather than milk this opportunity over the long term, banks, online trading companies, credit unions, and other financial service providers - including Revenue, and other government departments - could be in for a rather bumpy ride.

Note: There are some practical steps we need to start taking. Authentium strongly advises consumer banks, credit unions and other online financial service providers to refrain from telling their customers that personalized emails can be trusted. Some of your web sites still suggest that personalized emails under the bank's letterhead should be trusted. This is very poor-quality advice.

Tuesday, November 20, 2007

Enabling Premium Online Banking Services

Back in 1959, American Express issued their first charge card. Then in 1966, they introduced the Gold Card, and in 1984, the Platinum Card. This was followed up by the introduction of the Centurion, or "black card" in 1999. Coming this December: the American Express "Plum" card.

Where am I going with this?

The regular introduction of a new premium service tier has proven to be a huge success for American Express. For an increasingly large percentage of the American Express member population, annual service fees have risen from $6 in 1959 to more than $2,500 annually for a Centurion Card today (not counting the $5,000 account activation fee).

Clearly, offering premium service tiers generates revenue. So why is it that no online banks are lining up to charge me a $200 annual fee for "Platinum Online Banking"?

Jim Bruene, who authors the Online Banking Report, believes 2008 is the year that "Platinum" premium online service programs will take flight. In fact, Jim lists "Premium Online Banking Services with a Security Emphasis" third in his list of the Top Fifteen Marketing Tactics for 2008 in his 2008 Planning Guide.

Currently, several banks offer security software suites to their consumers, and typically they earn a bounty on each purchase. However, selling a non-sticky retail product-in-a-box doesn't promote retention - consumers can use the product regardless of whether or not they remain loyal to the site they got it from.

What is needed instead are attractive services that promote lasting relationships, based on technologies that securely and persistently link consumer devices with the bank's infrastructure.

Example 1: Real-time information widgets that update rate information, account transactions, security alerts, investor tips, and financial news - in real time, right on the consumer's desktop.

Example 2: Data backup and restore software, as enabled by our partners FarStone and IBM CDP. This service leverages the bank's extensive IT infrastructure to keep secure and provide access to statements, records of web sessions, expense reports, scanned documents, and "create-once, administer-remotely" personal banking profiles.

Example 3: ID Theft Prevention software, such as our own Authentium VERO Virtual Desktop and Virtual Browser (called VirtualATM in some markets) - software that only runs if first "recognized" by the bank's infrastructure, and allowed to execute on the consumer's machine.

I could go on, but you get the idea: software now exists that can add value to a bank's infrastructure, and justify offering a premium service tier consisting of security offerings and services that leverage the bank's existing assets and proprietary market intelligence.

Note 1: If you haven't read Jim Bruene's 2008 Online Banking Report Planning Guide yet, I strongly recommend you head over to Jim's Online Banking Report site and buy a copy - this guy is one of the hardest-working people in the industry.

Note 2: Marketers, here's a great story - Amex originally set their $6 annual fee a dollar higher than Diner's Club so they could position their card as the "premium offering".

This initial positioning exercise has to rank as one of the most successful marketing decisions ever taken in the finance industry.

Sunday, November 11, 2007

eCrime is not yet Organized

Fact: Criminals have become quite adept at stealing your personal information via the Internet.

Malware designed to secretly steal personal information is currently resident on millions of computers. Millions of bank customer records are available for purchase from corrupt BPO (Business Process Outsourcing) employees in India and elsewhere for a few dollars per record.

Online criminal gangs have proven their ability to regularly break into databases and pull down millions of customer accounts, including credit card details and other personal data. Phishing scams regularly fool thousands of people into revealing their personal information and banking details.

Q. So why aren't these activities bringing down major banks or retailers?

I believe the answer lies in the fact that ecrime is not really organized - yet. While the criminals have become adept at malware manufacture, they are not yet data-parsing geniuses.

Currently, the sheer volume of data being collected, and the current inability of criminal gangs to parse the data they are collecting, means they are unable to target individuals based on any useful analysis of that data, such as "net worth", "timing of deposit activity", "statement viewing frequency", or similar paradigms.

However, I think that's about to change. And so do most of the executives I've spoken with at Authentium's customer and partner companies.

In the same way that common criminals currently case a physical bank, or shopping mall, for the right time of day to perform a heist, I believe online criminals may soon start casing online accounts for "spiky activity", such as an executive's payday, or an investment banker's end of year bonus.

Why is such analysis required? Take the typical current account. Many families and small business owners use their current accounts for bill payment.

For much of the month, these accounts sit empty - but at the right time in any given month, these accounts may contain both rent and payroll. At that moment, a stolen "user name and password" combination is more valuable than at other, leaner times - a fact that I'm sure is not going unnoticed by carders and other middlemen.

Right now, there is no compelling evidence that criminals are yet using these sophisticated methods for frauds. However, there is little doubt that, over time, criminals will begin adopting these methods. It's just pure Darwinian logic.

In the future, uninformed criminals lacking information on the right time to "hit" accounts will ultimately end up expending a lot of effort for little or no gain. These criminals will eventually go out of business.

The more organized and "informed" criminals (i.e. those capable of processing their data) will grow in sophistication to the point where they will be able to visualize exactly the right time to attack a bank located, say, in a second-tier city, in which a majority of the employees are paid by two large companies on a certain date.

If I'm right, then we could be experiencing a period of calm ahead of what could prove to be quite a storm of activity.

Saturday, November 10, 2007

Alicia Keys Unplugged: The MySpace Hack

The Alicia Keys MySpace hack has been in the news this week. Several researchers, including Chris Boyd, and our friends over at (Authentium partner) Sunbelt Software, have blogged about this attack. Roger Thompson at Exploit Prevention Labs recorded a video of the hack.

The hack uses an interesting approach. A large transparent image (8000 x 1000 pixels) containing a hyperlink is inserted into the page. Clicking anywhere on the page, other than on a legitimate link or an image with a higher z-index, places a GET request to a malware server in China, which then offers up a dialog box inviting the user to install a new codec in order to properly view the content they are requesting.

Chris Boyd, Director of Malware Research over at spywareguide.com, recently blogged about a series of similar attacks on the sites of other musicians, and provided this snippet of code for those interested (note: the URL shown here is the same as the URL mentioned by Thompson):


The codec isn't required and doesn't exist, of course - and as Thompson demonstrates in the video, you don't have to click on the dialog box to be "owned": you were owned the moment you made the first click on the page.

Q. So where does this lead?

Firstly, the Alicia Keys MySpace page is toxic until proven otherwise, and may suffer permanent damage. But what of the parent site itself?

Obviously, the social networking sites don't yet feel these forms of attack are bothering users enough to prove fatal, or overly-damaging to their brands. And there has yet to be announced a venture-backed social networking site based around a promise to scan all code and content.

But that doesn't mean the slow "drip, drip, drip" of user discontent hasn't started...

I'm not aware of any active research groups that are tracking defections away from MySpace, or any of the other social networking sites, based on a negative reaction of the user population to the presence of malware, but you have to wonder: at what point will the parasite cause the fatality of the host?

Medical researchers have studied and now understand the "parasite density" levels various organisms are able to tolerate up to the point at which a fatality occurs - but no corresponding data is available regarding how tolerant a user population might be of a highly-compromised social networking site.

Attention computer science grads looking for a thesis - here's a subject that should prove interesting: At what point does a social networking site become so rife with malware that it can no longer survive?

My Dinner With Christophe

While in the UK a couple of weeks ago, I got together with Christophe Langlois, editor of Visible Banking, and we had a wonderful dinner at the Red Fort, one of my favorite London restaurants.

At the end of the dinner, we headed back to my hotel for coffee and a demo of Authentium's financially-oriented social networking application, SecureTalk. Over coffee, we also recorded an interview about the rest of the applications in the Authentium VERO solution set.

Christophe had just returned from the inaugural FINOVATE 2007 conference in New York, a show set up by Jim Bruene, publisher of the Online Banking Report.

At the conference, Christophe interviewed a number of key players in the emerging world of Online Banking 2.0, including Aaron Patzer of Mint, Chris Larsen of Prosper, Peter Hazelhurst of Yodlee, Patrick Gannon of Lending Club, and Shawn Ward of Geezeo.

We talked about many of the innovations he'd seen at the show, including the large number of social lending companies vying for mindshare. One of the clearly emerging trends, "financially-based social networking" - an idea pioneered in the Web 1.0 world by Bankrate and Lending Tree, but now being taken to new levels by the emerging companies on display at FINOVATE - is something every bank and brokerage that I've spoken with is watching closely.

One of my favorite sites in the area of social lending is kiva.org - a site many LinkedIn members will no doubt be familiar with.

I recently lent money through Kiva to the proprietor of a grocery store in Mexico, and thus far she has come through with the payments on time, and all appears to be going well with the business. If you have not yet signed up for Kiva.org, I recommend you take a look - I think you'll like what these guys are doing.

Back on social networking and banks, I noted with interest yesterday that Jim Bruene, editor of the Online Banking Report, has ranked financially-oriented peer-to-peer social networking among the top three marketing tactics of 2008 in his 2008 Planning Guide for online banks. Given the large number of venture-backed companies in attendance at his conference in this area, this is probably right.

Note on the video: To say our "set" was noisy, would be an understatement! But Christophe somehow managed to ensure the result was watchable. If you're interested in taking a look, and learning more about what Authentium is doing in the Online Banking 2.0 world, please click on the video above or go here.

AcidStorm is a Thief, not a Celebrity

Yesterday, in Los Angeles, a criminal admitted to tampering with a quarter of a million home computers, with the intent of eavesdropping on their communications, stealing their identities, and stealing money from their bank and PayPal accounts.

Yet despite his admission of guilt, and the vast number of people involved, the judge didn't remand this person to prison - the criminal was sent home to watch television and eat ice-cream until his arraignment, several weeks from now.

Huh?

Folks, we need to stop treating e-criminals like celebrities. Using computers to steal, rather than guns, does not make their motives any different from those of a common thug. It is time to do the public a favor and start putting these guys in the same cage as the people who rob banks using shotguns and getaway vehicles.

Consider again the facts: "AcidStorm", aka John Kenneth Schiefer, a 26-year-old Los Angeles-based information security specialist, copped a plea yesterday and admitted creating a botnet consisting of a quarter of a million computers. He admitted to stealing the identities of thousands of these unsuspecting users. He admitted to accessing PayPal accounts and online bank accounts.

According to published reports, it isn't yet clear how much money was stolen. But what is clear, is that his intent was criminal. This is underlined by events in Schiefer's past, which apparently include defrauding $19,000 from Simpel Internet in Holland, and admonishing an under-age colleague worried about stealing that he should just "quit being a bitch and claim it."

Nice.

Ask yourself this - if this theft had taken place at a "real bank", rather than via online banking interfaces, and had involved an attempt to steal actual dollar bills from the bank's cash register, would the perpetrator of this crime be out on bail?

Note to judge and Los Angeles Assistant U.S. Attorney Mark C. Krause: please try and forget the fact that this guy used computers to commit this crime. There is no longer anything sexy or interesting about online crime that demands these people be treated differently - their motives are no different than those of a safe-cracker or petty thief, and they place a heck of a lot more people at risk.

You should throw the book at this guy.

Update 1: According to scamfraudalert.com, the malware distributed by Schiefer contained "a sniffing feature that siphoned PayPal credentials from Protected Store, a section of Windows that stores passwords users have opted to have saved. Although Pstore, as the Windows feature is often called, encrypts the information before storing it, Schiefer's malware was able to read it, presumably by escalating its Windows privileges."

Update 2: Also from scamfraudalert.com - on one occasion, in December 2005, Schiefer moved money out of a Suffolk National Bank account to buy undisclosed domain names from a registrar by the name of "Dynadot".

Back on the Beat

It's been a massively busy couple of months at Authentium.

In addition to finalizing our 2008 budget, we've been putting the finishing touches to Authentium VERO (Virtual Environment Restricted Operation), our online banking security solution, and demoing the latest version to more than 50 customers and prospects on four continents.

I've barely had time to sleep, let alone post. But I'm back. And there is plenty to talk about.

Monday, September 3, 2007

Malware Drives 4% of PC Sales?

Last week, Rich Cameron, Authentium's COO, pointed me to an article in the latest Consumer Reports magazine.

The article makes an astounding claim, based on internal research - that US consumers and businesses *replace* 1.3m PCs every six months because of viruses and spyware.

"Based on projections from our survey, virus infections prompted 1.8 million households in the survey to replace their PCs in the past two years and spyware infections 850,000 in the past six months." - Consumer Reports, September 2007

Consumer Reports unfortunately didn't take the next step - i.e. determine the economic cost/value of these malware infestations. So let's start by annualizing the numbers:

1.8m / 2 years = 900,000 PCs replaced per year, in the US, because of viruses. 850,000 x 2 = 1.7m PCs replaced per year, in the US, because of spyware. QED: Total PCs replaced each year in the US because of malware: 2.6m.

The total number of PCs sold in 2006 in the US, including desktops, laptops and ultralights, was approximately 66m (IDC), or around 28% of worldwide sales. Assuming Consumer Reports is correct and malware was responsible for 2.6m of those sales, this means approximately 4% of all PCs sold last year in the United States were purchased as a result of these infestations.

Which further means that, at roughly seven hundred and fifty dollars per sale (NYT), retailers pulled almost $2bn in additional sales through their cash registers last year - as a direct result of malware.

Now, I'm not sold on the Consumer Reports numbers - they sound high to me - but I am intrigued by the economics. The next time I'm at Circuit City, or Best Buy, you can bet I'm going to ask around and see if there is support for this argument.

Sunday, September 2, 2007

Bank of India Site Hacked

Alex Eckelberry and the rest of our friends over at Sunbelt Software have uncovered the latest apparent victim of the MPack toolkit that I have been blogging about the past few weeks. This time, the compromised web site appears to belong to a bank: specifically, the Bank of India.

Sunbelt confirms that the compromised site was, at a minimum, serving up 31 different pieces of malware to the bank's customers (see full list below), via an embedded IFRAME hidden in the bank's landing page.

The Bank of India has confirmed the attack and its US web site is currently displaying an "under maintenance" sign. Sunbelt Software is reporting the attack began last Wednesday evening, but the bank says it is unaware of how long the web site was compromised.

This, and other similarities to attacks on hosting companies in Italy and elsewhere, including the US, point to the Russian Business Network, a criminal group responsible for creating MPack - a PHP-based malware-distribution system that can be designed to look like a legitimate web site administration tool.

Dancho Danchev is reporting that the attackers may have combined MPack with an exploit kit called n404. His analysis of the problem is worth reading and shows that the Fast Flux domain service, javascript obfuscation and multiple IFRAMEs may have been involved - here's an extract:

"At the bank's URL there's a link pointing out to goodtraff.biz (58.65.239.66) where an IFRAME loads to 81.95.144.148/in.cgi?10 whereas while accessing it we get response from 81.95.144.146, where we get the usual javascript obfuscation leading us to 81.95.144.146/at/index.php and 81.95.144.146/rut/index.php."

"Furthermore, the second IFRAME leads us to x-traffic.biz/ts/in.cgi?user0224 (which is a Russian Adult Traffic network) redirecting us to mymoonsite.net/check/version.php?t=167 (81.95.148.13) and a third one loading goodtraff.biz/tds/index.php (empty)."

"What does it mean? It means the Russian Business Network has not just managed to inject its presence on Bank of India's site, but is also using multiple-iframing as an attack vector, thus creating a fast-flux network with multiple campaigns..."


What is an IFRAME? Think of an IFRAME as a transparent "window" inside a web page that can be used to "frame" another web page located either on the same server, or on an entirely different server - in this case, a web page from a server in Russia containing 31 pieces of malware.

How invisible is an IFRAME? Totally invisible. Making an IFRAME transparent takes no skill at all: setting attributes such as "height", "width" or "frameborder" to "0", or styling it with "background-color: transparent", is enough to guarantee that customers never see it.

How bad is the malware the bank's hacked web page served up? Really bad. Sunbelt and Panda report that "Pinch", a particularly nasty Trojan designed to steal personal information, was one of the pieces of malware served up to users. Here's the list that Alex posted yesterday:

Email-Worm.Win32.Agent.l
Rootkit.Win32.Agent.dw
Rootkit.Win32.Agent.ey
Trojan-Downloader.Win32.Agent.cnh
Trojan-Downloader.Win32.Small.ddy
Trojan-Proxy.Win32.Agent.nu
Trojan-Proxy.Win32.Wopla.ag
Trojan.Win32.Agent.awz
Trojan-Proxy.Win32.Xorpix.Fam
Trojan-Downloader.Win32.Agent.ceo
Trojan-Downloader.Win32.Tibs.mt
Trojan-Downloader.Win32.Agent.boy
Trojan-Proxy.Win32.Wopla.ah
Trojan-Proxy.Win32.Wopla.ag
Rootkit.Win32.Agent.ea
Trojan.Pandex
Goldun.Fam
Backdoor.Rustock
Trojan.SpamThru
Trojan.Win32.Agent.alt
Trojan.Srizbi
Trojan.Win32.Agent.awz
Email-Worm.Win32.Agent.q
Trojan-Proxy.Win32.Agent.RRbot
Trojan-Proxy.Win32.Cimuz.G
TSPY_AGENT.AAVG (Trend Micro)
Trojan.Netview

Q. If IFRAMEs can be used to do bad things, then why don't security companies just look for web pages that contain an IFRAME and filter them out?

A. IFRAMEs are a good technology. They are used by millions of legitimate sites. Example: The world's most-trafficked web site - Google - uses IFRAMEs within the popups launched from its homepage. IFRAMEs can be extremely useful in the context of a well-managed, well-designed web site.

Q. How is it possible to infect thousands of web sites at once?

A. Here's a step-wise example of how hosted web sites get affected (my thanks to Robert and Eric and the rest of the Virus Lab team for their presentation on this last week):

Step 1. An over-worked web site administrator with zero budget goes looking for an easy-to-use free admin tool that will help him administer the growing number of web pages and/or sites he is managing/hosting.

Step 2. Searching online, the admin finds, either via Google Ads (yes, hackers buy AdWords too) or a web page, a terrific, full-featured tool that looks professionally-designed.

Step 3. The admin downloads the tool and installs it on his Apache web server, placing it inline with the web pages of his customers.

Step 4. Without the knowledge of the administrator, the toolkit begins surreptitiously inserting an IFRAME into every web page located on that server.

Step 5. An end user surfs to the web site of a trusted brand using a PC that has not been recently patched. Unfortunately, the landing page of the site now contains an IFRAME that points to an entirely different web server, and as the page loads, the invisible IFRAME, and the associated malware, loads with it.

Step 6. The user, his unpatched PC now 100% "owned", pours another cup of coffee, totally unaware that his personal data is now being migrated from his PC to a database in Russia.

Hosting companies in Italy - and their customers - have been hardest-hit by this fake admin tool approach, because the tool includes some rather clever "features".

For example, let's say a web site manager downloads and uses the MPack tool, then later discovers an IFRAME in the web page it was supposed to be administering - and removes it. The tool is smart enough to recognize this has happened and will surreptitiously replace the removed IFRAME without the administrator knowing.

The disturbing thing about all this is the likelihood that thousands of web site administrators will not read any of these posts, will continue to download MPack-based fake administration tools, and will infect tens of thousands more sites - including online banking and commerce sites.

What can you do to stop this happening? Authentium says:

1. Don't use free web site administration tools from unknown companies
2. Don't use web site hosting companies that use free tools - ask them for an audited list of what they are using, and ask them to include *all* software that touches your web site
3. Maintain up-to-date anti-malware software on *all* of your servers
4. Keep an eye on your web pages and especially on your (hopefully legitimate) IFRAMEs
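As an added example of recommendation 4 and of the hidden-IFRAME trick described above (this is not code from the original post, Authentium or Sunbelt), the following Python script audits a page's IFRAMEs against the site's own host and an allowlist of legitimate frame sources, flagging any frame that is invisible or points off-site; the sample page, the host names and the `injected.invalid` placeholder are all constructed.

```python
# Added example (not Authentium's or Sunbelt's code): audits the IFRAMEs in a
# page and flags ones that are hidden (zero size, display:none,
# visibility:hidden) or that frame a host outside the site's own domain and
# allowlist. Re-run it periodically: the fake admin tool re-inserts its IFRAME.
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

# Inline styles that make a frame invisible to the visitor.
HIDING_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden"
    r"|\b(?:width|height)\s*:\s*0(?:px)?\s*(?:;|$)", re.I)


class IframeCollector(HTMLParser):
    """Collects the attribute dict of every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def is_hidden(attrs):
    """True when the IFRAME is sized to 0/1 pixels or styled invisible."""
    for key in ("width", "height"):
        val = attrs.get(key, "").strip().rstrip("px").strip()
        if val.isdigit() and int(val) <= 1:
            return True
    return bool(HIDING_STYLE.search(attrs.get("style", "")))


def audit_iframes(html, site_host, allowed_hosts=()):
    """Return [(src, reasons)] for each IFRAME that is hidden or off-site.
    A relative src counts as same-site; an absolute one is checked against
    site_host and the allowlist of known-legitimate frame sources."""
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        src = attrs.get("src", "")
        host = (urlparse(src).hostname or site_host).lower()
        reasons = []
        if host != site_host.lower() and host not in allowed_hosts:
            reasons.append("off-site")
        if is_hidden(attrs):
            reasons.append("hidden")
        if reasons:
            findings.append((src, reasons))
    return findings


# Constructed sample: a legitimate same-site frame, an allowlisted partner
# frame, and an injected zero-size frame pointing at a placeholder host.
SAMPLE_PAGE = """<html><body><h1>Online Banking</h1>
<iframe src="/rates/today.html" width="300" height="200"></iframe>
<iframe src="https://partner.example/widget" width="300" height="100"></iframe>
<IFRAME SRC="http://injected.invalid/index.php" WIDTH=0 HEIGHT=0
        FRAMEBORDER=0 STYLE="visibility:hidden"></IFRAME></body></html>"""

if __name__ == "__main__":
    for src, why in audit_iframes(SAMPLE_PAGE, "bank.example",
                                  ("partner.example",)):
        print(f"SUSPICIOUS IFRAME {src}: {', '.join(why)}")
```

Run it from cron against a saved copy of each landing page and alert on any finding, so an IFRAME that is silently put back after removal is caught on the next pass.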

Friday, August 31, 2007

Scary Monster

The theft of data from Monster.com is generating a significant number of new news headlines about spear-phishing attacks, including several, like this article in USA Today, that quote the investigations done by the team here at Authentium.

Financial gain is the leading motive for all attacks on IT infrastructure, and it has been that way for more than three years. Getting control of Monster's data was just the first step of a larger plan - probably to enable some form of spear-phishing.

Spear-phishing is the term used for targeted phishing against a marketing database as opposed to random emailing to non-aligned end users. The criminals that hack customer databases such as Monster.com's and enable spear-phishing lease access to that database to marketers - let's call them "badvertisers" - on a "name per hour" basis.

This is the same basic economic rationale behind the rise of botnets - networks created from millions of hijacked computers, that are leased out to criminals that pretend to be advertisers or rich widows of third-world presidents.

But whereas botnets may be leased by criminals to criminals for anything from a few cents to a few dollars an hour per user/end point, the value of a single, unified customer database like Monster.com's is potentially far higher.

Like all marketers, "badvertisers" understand that messages from a trusted source - or embedded within a trusted source, such as the Wall Street Journal, or Fox News - have far more value than messages from an untrusted source.

This is why legit advertisers get Rush Limbaugh to read those ads out loud on his radio show - his words are far more trusted by his listeners than those of an anonymous announcer. Which means Rush, the more trusted voice, is worth a multiple of what the anonymous announcer would charge.

How much of a multiple? One useful guess is 4.5x - that's the number Hiawatha Bray at The Boston Globe quoted this morning in one of the better-researched articles on the Monster.com problem.

"A 2005 study at Indiana University found that 72 percent of students obeyed the instructions in phishing messages when they appeared to come from a trusted source, while the compliance rate for untrusted messages was just 16 percent."

The ability to target millions of Monster.com customers exclusively with a message that appears to come from a trusted source (Monster.com), is worth many times - 4.5 times, if you agree with the Indiana University study - what a criminal might pay to lease a botnet.

Note: At the end of the day, I'm not sure this attack counts as a "success" from the perspective of the criminals. Smart criminals understand that parasites are more successful when they leave their host (i.e. hijacked database) alive, and most successful if they can remain invisible.

The attackers in this case failed to create much value for themselves because they chose to go too big too fast, causing so much press that even the most infrequent Monster.com user must now know about the attack. By biting off too much, and gaining press attention, the hackers have effectively ruined any chance they might have had for long-term financial gain.

Tuesday, August 28, 2007

VOIP Eavesdropping

Working in this industry is a little like walking into a supermarket and trying to find something "not unhealthy" to eat: everywhere you look, there are problems.

Take, for example, VOIP.

I'm not talking about the issues that bedevilled Skype this past week (although that seems to be developing into a fascinating story about what happens when one node on a peer-to-peer network gets out of sync and "central command" lacks sufficient permissions to prevent disaster) - I'm talking about the issues that are emerging relevant to VOIP and security.

VOIP, as we all know, stands for Voice Over Internet Protocol. And it is the "IP" part of this acronym that is both the root of its greatness and its largest potential weakness. Because if your systems are not architected just right, introducing VOIP into your business can introduce an easily-exploitable vector for corporate espionage.

By corporate espionage, I mean the ability to "listen in", record, or otherwise intrude on your corporation's most sensitive phone discussions.

Will Stofega, research manager for VoIP services at IDC, recently said “One or two years ago, the discussion of VoIP security risks was theoretical. What we’re going to start seeing is the threat of moving from theoretical to reality.”

This is no longer a theoretical threat. Stan Quintana, VP of Managed Security Services at AT&T, who I had the pleasure of meeting last year, believes, when it comes to VOIP traffic, "there is substantial exposure to intercepting that conversational data and monitoring it."

Bogden Materna, CTO and VP Engineering for VOIPshield Systems, recommends deploying a "multi-layer security infrastructure that... consists of... SBCs, VOIP Network Intrusion Prevention Systems (NIPS), VOIP DoS defenses, VOIP Network Intrusion Detection Systems (IDS), Host IPSs, AAA servers, encryption engines and VOIP antivirus software."

That may not be overkill - it is absolutely essential to protect voice communications in an enterprise, and VOIP needs added protection so confidence doesn't wane.

Because, as we saw last week in the Skype situation, people will very quickly start experiencing fond recollections of 100-year-old POTS technologies when VOIP clients suddenly become unavailable, or start affecting (or infecting) other clients on the network.

Sunday, August 19, 2007

One and a Half Billion Heartbeats

Many years ago, astronaut-legend Neil Armstrong sat down for an interview with news-legend Walter Cronkite. It was just after the time of the Apollo project, which was coincident with the beginning of the jogging craze.

Cronkite asked Armstrong for his opinion on jogging. Armstrong thought about it for a second, then responded:

"I believe that the Good Lord gave us a finite number of heartbeats and I'm damned if I'm going to use up mine running up and down a street."

This quote has always tickled me. I repeat it whenever anyone asks me to work up a sweat. So I was pleased yesterday, when Geoffrey West, a Santa Fe-based scientist, confirmed what for me has been merely Neil's opinion for the past thirty years.

Interviewed on NPR, West confirmed that the results of his most recent research show the heart of the average mammal, humans included, beats approximately one and a half billion times in its lifetime, regardless of the size of the mammal or its habitat.

In other words, it appears that it doesn't matter if you're an elephant or a mouse. Every mammalian heart is programmed to beat 1.5 billion times - before beating no more.

The story contained a number of nice audio props, such as recordings of the bongo-like heart of a shrew, which beats approximately 1,000 times a minute, and of the whale, whose heart beats (if a low squishy sound can be called a "beat") approximately once every three to four seconds.

But the thing that interested me most was the part the story left out - a quote from one of the most famous humans to yet walk the Earth, which at the time was just his opinion, but which now ranks as a fully-fledged - and very welcome - hypothesis.

Saturday, August 18, 2007

Virtualization: The Next Generation

The success of VMWare's IPO last week took none of its customers - which include Authentium - by surprise. The intra-day run-up, from $29 to over $50 a share (resulting in a $19 billion market cap), shows that market watchers believe that virtualization is barely out of the front gate in terms of economic potential.


One of the reasons for this is because virtual machines are still really only being installed on servers. And despite the obvious reduction in support costs and physical overhead that is enabled by installing multiple virtual machines on a single physical server, many IT administrators are only a small way into their migration plan.

Which means, come rain or shine, VMWare revenues should continue to grow healthily for many, many years.

But are servers really the most profitable line of business? Or are there other forms of virtualization that could enable an even bigger payday, a few years down the line?

I believe there are. According to our experience (and Microsoft's volume pricing tables), for every 30 servers in an organization, there are approximately 500 PCs, or, increasingly, laptops. Obviously, desktops and laptops present an attractive market for virtualization in the future.

However, I don't think we're going to see the same form of virtualization take root on the desktop.

I believe by the time new technologies like VirtualATM, which is based on our VERO ("Virtual Environment, Restricted Operations") virtual environment take seed, purely web-based forms of "the applications formerly known as desktop applications" will have arrived in force, creating a situation where the operating system may become redundant with respect to many of today's tasks.

Certainly, tasks requiring heightened security will use virtualization and restricted runtime environments almost exclusively. It makes *zero* sense for a large bank or online trading firm to expose their transactions to processes running in the non-virtualized environment.

Far better to elevate the application and restrict interaction to only those processes and network assets which can be absolutely trusted - which is what we do with VERO.

Of course, this all begs the question as to what will happen to the faithful desktop PC, and/or Mac? Will our computers simply become pretty boxes capable of instantly downloading any number of virtual environments, such as VERO, and metering their use via mechanisms like KPP?

Microsoft seems to think so. Here's a quote from an article in the Wall Street Journal last year that showed up in a 2006 article by the ever-alert Mary Jo Foley, over at ZDNet.com:

“Meanwhile, a cadre of respected Microsoft computer scientists and programmers formed a group under Chief Software Architect Ray Ozzie to start building software that could be a critical piece of what Windows might become, say people familiar with the work.

That group, says a person familiar with the matter, sees the future of Windows as much more as an Internet service than software that runs on a PC.”


In other words, "Windows as a webOS".

I personally think by this time (2012?), virtualization and servicizing of the services we consumers use the most (web browser, word processor, spreadsheet, financial management software, games, etc.) will be so far along, and so easily accessible and secure, that Microsoft - and Apple - could find themselves in 2012 with highly-virtualized operating systems that no one, except die-hard fans, will want or need to use.

Note: One potential piece of gold at the end of the Microsoft virtual rainbow is KPP - otherwise known as PatchGuard. PatchGuard provides metering support for software application usage and license management - such as desktop applications deployed using Microsoft SoftGrid.

KPP - and Microsoft Update - could become the critical components of the Microsoft webOS. It will be interesting to watch Microsoft's upcoming technical releases, including kernel-level APIs, in this area.

Skype's Problem is PR, Not Technology

Before their 2-day outage this week, it was impossible to imagine that Skype would ever find itself comparable to your typical airline in terms of information policy.

But that is exactly the position that Skype's less than impressive PR strategy has put it in. By releasing little tangible data and punctuating releases with periods of "dead air" up to twelve hours in length, Skype has turned itself from "trusted VOIP top dog" into just another big company that doesn't care how long we're going to sit on the runway.

The PR folks handling the Skype situation seem to have forgotten who built the company into the 220 million user powerhouse it is today: a combination of technology-savvy, socially-networked geeks.

This network of super-smart customers needs to be given much more to chew on than an "algorithm deficiency" - otherwise they will use their gray matter to come up with any number of conspiracies involving viruses, saboteurs and terrorists. Indeed, many such theories are doing the rounds.

Tell us more, Skype. Name the data centers and customer base subsets affected, discuss the nature of the breakdown in encryption that has occurred between your clients and servers, tell us if it was caused by a bad update or a piece of malware - share with us.

You will not lose customers because you chose to share this information: the opposite is much more likely.

As a resident of downtown New York during 9/11, I remain thankful for Rudy Giuliani's handling of the situation, and how much he shared with us during that day. Despite having to manage a broken city, and fires on numerous fronts, he found time to address New York's residents and provide enough information for us to understand, react, plan, navigate, and compensate on that horrible day.

Skype's PR team needs to take a leaf out of Rudy's book and think about how people use Skype, and how much more information might be warranted above what is currently being released.